Date:      Sat, 21 Oct 2000 11:30:04 -0700 (PDT)
From:      Rudy <rudy@monkeybrains.net>
To:        Blaz Zupan <blaz@amis.net>
Cc:        freebsd-net@FreeBSD.ORG
Subject:   Re: Using punch_fw from natd
Message-ID:  <Pine.BSF.4.21.0010211126260.94231-100000@pizza.monkeybrains.net>
In-Reply-To: <Pine.BSF.4.21.0010212007010.70509-100000@titanic.medinet.si>


You can reduce the number of open ports --- ftpd does not use 1024-65535.

Here is the rule I use:
allow tcp from any to any 49152-65535 keep-state in recv fxp0 setup

Users do not have shell accounts on that box, so I am not worried about
leaving a bunch of high numbered ports open.  (Is this a mistake?)

Rudy



---------------------------------------------------
    Join my ISP: http://www.monkeybrains.net/
---------------------------------------------------

On Sat, 21 Oct 2000, Blaz Zupan wrote:

> I have two firewalls, protecting our two office networks. The firewalls are
> simply ipfw rules, without using NAT (and natd). The only remaining "big hole"
> I have is, that I need to open TCP ports above 1024 for incoming active FTP
> requests. I'd like to close this remaining hole and noticed the punch_fw
> option to natd, which does what I want - the problem is, that it is built into
> natd and works only on packets that are aliased by natd. But I don't want to
> do network address translation, I just need a daemon that will open incoming
> TCP ports for active FTP connections. Does anybody have a solution? Maybe a
> way to convince natd to do the port-punching without aliasing packets?
>
> Blaz Zupan,  Medinet d.o.o, Linhartova 21, 2000 Maribor, Slovenia
> E-mail: blaz@amis.net, Tel: +386-2-320-6320, Fax: +386-2-320-6325
>
>
>



To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-net" in the body of the message
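The check below is added here and is not part of either mail. It compares the destination-port range an ipfw "allow tcp ... setup" rule opens (Rudy's 49152-65535 above) with the host's high ephemeral range as reported by sysctl net.inet.ip.portrange, so an admin can confirm the rule neither misses ports that ftpd's data connections can land on nor opens more than that. The sysctl output is constructed sample text; the values are assumed to be the FreeBSD defaults of the time.

```python
import re

# Constructed sample: output of `sysctl net.inet.ip.portrange` on a FreeBSD
# host. Values are assumed defaults; the hifirst/hilast pair is what the
# 49152-65535 rule in the mail corresponds to.
SAMPLE_SYSCTL = """\
net.inet.ip.portrange.lowfirst: 1023
net.inet.ip.portrange.lowlast: 600
net.inet.ip.portrange.first: 1024
net.inet.ip.portrange.last: 5000
net.inet.ip.portrange.hifirst: 49152
net.inet.ip.portrange.hilast: 65535
"""

# Matches the shape of the rule quoted in the mail: an allow rule for TCP
# with a single destination-port range and the "setup" (SYN only) keyword.
RULE_RE = re.compile(r"^allow tcp from \S+ to \S+ (\d+)-(\d+) .*\bsetup\b")


def parse_rule_range(rule):
    """Return (first, last) destination ports opened by an ipfw allow/setup rule."""
    m = RULE_RE.match(rule.strip())
    if not m:
        raise ValueError("not a recognised 'allow tcp ... setup' rule: %r" % rule)
    return int(m.group(1)), int(m.group(2))


def parse_hi_range(sysctl_text):
    """Return (hifirst, hilast) from `sysctl net.inet.ip.portrange` output."""
    vals = {}
    for line in sysctl_text.splitlines():
        key, _, value = line.partition(":")
        vals[key.strip().rsplit(".", 1)[-1]] = int(value)
    return vals["hifirst"], vals["hilast"]


def check_rule(rule, sysctl_text):
    """Compare the rule's open range with the host's high ephemeral range.

    'covers' is True when every high ephemeral port is allowed (no broken
    data connections); 'extra' counts ports the rule opens beyond that range
    (exposure the FTP daemon does not need)."""
    rf, rl = parse_rule_range(rule)
    hf, hl = parse_hi_range(sysctl_text)
    overlap = max(0, min(rl, hl) - max(rf, hf) + 1)
    return {"rule": (rf, rl), "ephemeral": (hf, hl),
            "covers": rf <= hf and rl >= hl,
            "extra": (rl - rf + 1) - overlap}


if __name__ == "__main__":
    for r in ("allow tcp from any to any 49152-65535 keep-state in recv fxp0 setup",
              "allow tcp from any to any 1024-65535 keep-state in recv fxp0 setup"):
        print(r, "->", check_rule(r, SAMPLE_SYSCTL))
```

Run it against the real sysctl output of the firewall host to see whether the rule's range and the kernel's range still agree after either has been tuned.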